The commissioner plans to take Facebook to federal court because the social media giant is allegedly refusing to implement the commissioner's recommendations to strengthen its privacy controls.

"Facebook's refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company," Privacy Commissioner Daniel Therrien says in a statement. "Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection."

Therrien says that Facebook has dismissed the findings as "opinions." He adds: "It is untenable that organizations are allowed to reject my office's legal findings as mere opinions."

Canada's privacy commissioner cannot levy fines or serve orders that would make its recommendations binding. But it can go to federal court, which could force Facebook to make changes. Therrien used the situation to make arguments that Canada's federal privacy law should be strengthened.

Facebook says it offered "concrete measures" to address the recommendations and offered to enter into a compliance agreement.

"After many months of good-faith cooperation and lengthy negotiations, we are disappointed that the OPC considers the issues raised in this report unresolved," the company says.

Therrien's comments point to less of a privacy problem and more of a democracy one "because big companies now see laws as mere suggestions," writes Matt Stoller, a fellow at the Open Markets Institute.

"What's amazing is that the Canadian privacy commissioner told Facebook 'Here's how you're violating the law, here's how to stop breaking the law. Please do so.' And Facebook's response was, 'No'," Stoller writes in a tweet.

The subtext of the FB scandal is the systemic breakdown of the rule of law over the past four decades. We don't think about business law as social justice-y but it is. This isn't a privacy problem, it's a democracy problem because big companies now see laws as mere suggestions.

Violation: No Meaningful Consent

Canada investigated Facebook in 2009, finding that the company sought "overly broad, uninformed consent for disclosures of personal information to third-party apps, as well as inadequate monitoring to protect against unauthorized access by those apps."

As a result of that investigation, Canada says it made recommendations but Facebook didn't follow them.

The privacy commissioner launched another investigation in March 2018. The investigation focused on data sharing and third-party apps, including whether Canadians' personal data was exposed to Cambridge Analytica, a U.K.-based voter profiling firm. It also looked at Facebook's consent mechanisms.

It's unclear if Canadian data was passed to Cambridge Analytica, although Facebook says it wasn't. But the privacy commissioner concluded that Facebook allowed a personality quiz called "This Is Your Digital Life" to collect personal data without proper consent.

At the time when the app was deployed, Facebook allowed apps to not only collect the data of those who directly used the app, but also of their friends. The data of about 622,000 Canadians was scooped up by "This Is Your Digital Life," the privacy commissioner says.

Canada's privacy commissioner found that Facebook failed to obtain meaningful consent from users and relied on app developers to gain that consent. Also, consent to collect their data was not obtained from the friends of people who used the apps. The social network also failed to ensure that app developers abided by data-sharing terms, the commissioner says.

The regulator has given recommendations to Facebook to bring it into compliance with Canada's Personal Information Protection and Electronic Documents Act and the Personal Information Protection Act.

"We are disappointed that Facebook either outright rejected, or refused to implement our recommendations in any manner acceptable to our offices," the commissioner says.

Inquiries, Lawsuits Roll On

Facebook is still dealing with numerous regulatory inquiries and lawsuits related to Cambridge Analytica and other data-sharing practices.

In October 2018, the U.K.'s Information Commissioner's Office handed Facebook its maximum fine, £500,000 ($645,000), over Cambridge Analytica. On Wednesday, Facebook said it was setting aside $3 billion from its first-quarter profits this year to cover a potential fine from the U.S. Federal Trade Commission that could be up to $5 billion (see: Facebook Takes $3 Billion Hit, Anticipating FTC Fine).

The FTC is investigating whether Facebook violated a 2012 settlement agreement that required it to put stricter control on how it managed and shared personal data. The agency had accused Facebook of making personal data of users public without their consent.

Also on Thursday, Reuters reported that Ireland's Data Protection Commissioner has opened an investigation into a Facebook password storage error. Facebook stored hundreds of millions of plain text passwords for its social network and Instagram users. The passwords should have been stored as hashes.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
